sqlmapproject/sqlmap
1
1
Fork 0
mirror of https://github.com/sqlmapproject/sqlmap.git synced 2024-11-22 17:46:37 +03:00
Code Issues Packages Projects Releases Wiki Activity
52e44df86c
sqlmap/lib/controller/controller.py

440 lines
16 KiB
Python
Raw Normal View History

After the storm, a restore..
2008-10-15 19:38:22 +04:00
#!/usr/bin/env python
"""
propsets..
2008-10-15 19:56:32 +04:00
$Id$
After the storm, a restore..
2008-10-15 19:38:22 +04:00
large commit with copyright header modifications
2010-10-14 18:41:14 +04:00
Copyright (c) 2006-2010 sqlmap developers (http://sqlmap.sourceforge.net/)
sorry, cosmetics
2010-10-15 03:18:29 +04:00
See the file 'doc/COPYING' for copying permission
After the storm, a restore..
2008-10-15 19:38:22 +04:00
"""
fix for that duplicates
2010-10-15 04:34:16 +04:00
import re
After the storm, a restore..
2008-10-15 19:38:22 +04:00
from lib.controller.action import action
from lib.controller.checks import checkSqlInjection
some updates
2010-10-11 16:26:35 +04:00
from lib.controller.checks import heuristicCheckSqlInjection
After the storm, a restore..
2008-10-15 19:38:22 +04:00
from lib.controller.checks import checkDynParam
from lib.controller.checks import checkStability
from lib.controller.checks import checkString
Minor adjustments and minor bug fixes. Documentation almost complete for sqlmap 0.6.3.
2008-12-12 22:06:31 +03:00
from lib.controller.checks import checkRegexp
After the storm, a restore..
2008-10-15 19:38:22 +04:00
from lib.controller.checks import checkConnection
added null connection check
2010-09-16 12:43:10 +04:00
from lib.controller.checks import checkNullConnection
Rewrite from scratch the detection engine. Now it performs checks defined in payload.xml. User can specify its own. All (hopefully) functionalities should still be working. Added two switches, --level and --risk to specify which injection tests and boundaries to use. The main advantage now is that sqlmap is able to identify initially which injection types are present so for instance if boolean-based blind is not supported, but error-based is, sqlmap will keep going and work!
2010-11-28 21:10:54 +03:00
from lib.core.agent import agent
from lib.core.common import dataToStdout
more unicode refactoring
2010-06-02 16:45:40 +04:00
from lib.core.common import getUnicode
After the storm, a restore..
2008-10-15 19:38:22 +04:00
from lib.core.common import paramToDict
Minor bug fix
2010-03-05 18:25:53 +03:00
from lib.core.common import parseTargetUrl
After the storm, a restore..
2008-10-15 19:38:22 +04:00
from lib.core.common import readInput
from lib.core.data import conf
from lib.core.data import kb
from lib.core.data import logger
further enum refactoring
2010-11-08 12:44:32 +03:00
from lib.core.enums import HTTPMETHOD
Rewrite from scratch the detection engine. Now it performs checks defined in payload.xml. User can specify its own. All (hopefully) functionalities should still be working. Added two switches, --level and --risk to specify which injection tests and boundaries to use. The main advantage now is that sqlmap is able to identify initially which injection types are present so for instance if boolean-based blind is not supported, but error-based is, sqlmap will keep going and work!
2010-11-28 21:10:54 +03:00
from lib.core.enums import PAYLOAD
further enum refactoring
2010-11-08 12:44:32 +03:00
from lib.core.enums import PLACE
Fixes #177 - Don't exit at exception if in "multiple targets" mode (-l or -g)
2010-03-16 15:14:02 +03:00
from lib.core.exception import exceptionsTuple
After the storm, a restore..
2008-10-15 19:38:22 +04:00
from lib.core.exception import sqlmapNotVulnerableException
added some user interaction when page is dynamic
2010-10-12 19:49:04 +04:00
from lib.core.exception import sqlmapSilentQuitException
Rewrite from scratch the detection engine. Now it performs checks defined in payload.xml. User can specify its own. All (hopefully) functionalities should still be working. Added two switches, --level and --risk to specify which injection tests and boundaries to use. The main advantage now is that sqlmap is able to identify initially which injection types are present so for instance if boolean-based blind is not supported, but error-based is, sqlmap will keep going and work!
2010-11-28 21:10:54 +03:00
from lib.core.exception import sqlmapValueException
some update
2010-09-30 23:45:23 +04:00
from lib.core.exception import sqlmapUserQuitException
After the storm, a restore..
2008-10-15 19:38:22 +04:00
from lib.core.session import setInjection
minor cosmetic update
2010-03-15 14:55:13 +03:00
from lib.core.target import initTargetEnv
from lib.core.target import setupTargetEnv
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Rewrite from scratch the detection engine. Now it performs checks defined in payload.xml. User can specify its own. All (hopefully) functionalities should still be working. Added two switches, --level and --risk to specify which injection tests and boundaries to use. The main advantage now is that sqlmap is able to identify initially which injection types are present so for instance if boolean-based blind is not supported, but error-based is, sqlmap will keep going and work!
2010-11-28 21:10:54 +03:00
def __selectInjection():
After the storm, a restore..
2008-10-15 19:38:22 +04:00
"""
Selection function for injection place, parameters and type.
"""
Rewrite from scratch the detection engine. Now it performs checks defined in payload.xml. User can specify its own. All (hopefully) functionalities should still be working. Added two switches, --level and --risk to specify which injection tests and boundaries to use. The main advantage now is that sqlmap is able to identify initially which injection types are present so for instance if boolean-based blind is not supported, but error-based is, sqlmap will keep going and work!
2010-11-28 21:10:54 +03:00
points = []
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Rewrite from scratch the detection engine. Now it performs checks defined in payload.xml. User can specify its own. All (hopefully) functionalities should still be working. Added two switches, --level and --risk to specify which injection tests and boundaries to use. The main advantage now is that sqlmap is able to identify initially which injection types are present so for instance if boolean-based blind is not supported, but error-based is, sqlmap will keep going and work!
2010-11-28 21:10:54 +03:00
for i in xrange(0, len(kb.injections)):
place = kb.injections[i].place
parameter = kb.injections[i].parameter
ptype = kb.injections[i].ptype
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Rewrite from scratch the detection engine. Now it performs checks defined in payload.xml. User can specify its own. All (hopefully) functionalities should still be working. Added two switches, --level and --risk to specify which injection tests and boundaries to use. The main advantage now is that sqlmap is able to identify initially which injection types are present so for instance if boolean-based blind is not supported, but error-based is, sqlmap will keep going and work!
2010-11-28 21:10:54 +03:00
point = (place, parameter, ptype)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Rewrite from scratch the detection engine. Now it performs checks defined in payload.xml. User can specify its own. All (hopefully) functionalities should still be working. Added two switches, --level and --risk to specify which injection tests and boundaries to use. The main advantage now is that sqlmap is able to identify initially which injection types are present so for instance if boolean-based blind is not supported, but error-based is, sqlmap will keep going and work!
2010-11-28 21:10:54 +03:00
if point not in points:
points.append(point)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Rewrite from scratch the detection engine. Now it performs checks defined in payload.xml. User can specify its own. All (hopefully) functionalities should still be working. Added two switches, --level and --risk to specify which injection tests and boundaries to use. The main advantage now is that sqlmap is able to identify initially which injection types are present so for instance if boolean-based blind is not supported, but error-based is, sqlmap will keep going and work!
2010-11-28 21:10:54 +03:00
if len(points) == 1:
kb.injection = kb.injections[0]
cosmeticados
2010-11-30 17:48:13 +03:00
Rewrite from scratch the detection engine. Now it performs checks defined in payload.xml. User can specify its own. All (hopefully) functionalities should still be working. Added two switches, --level and --risk to specify which injection tests and boundaries to use. The main advantage now is that sqlmap is able to identify initially which injection types are present so for instance if boolean-based blind is not supported, but error-based is, sqlmap will keep going and work!
2010-11-28 21:10:54 +03:00
elif len(points) > 1:
message = "there were multiple injection points, please select "
message += "the one to use for following injections:\n"
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Rewrite from scratch the detection engine. Now it performs checks defined in payload.xml. User can specify its own. All (hopefully) functionalities should still be working. Added two switches, --level and --risk to specify which injection tests and boundaries to use. The main advantage now is that sqlmap is able to identify initially which injection types are present so for instance if boolean-based blind is not supported, but error-based is, sqlmap will keep going and work!
2010-11-28 21:10:54 +03:00
points = []
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Rewrite from scratch the detection engine. Now it performs checks defined in payload.xml. User can specify its own. All (hopefully) functionalities should still be working. Added two switches, --level and --risk to specify which injection tests and boundaries to use. The main advantage now is that sqlmap is able to identify initially which injection types are present so for instance if boolean-based blind is not supported, but error-based is, sqlmap will keep going and work!
2010-11-28 21:10:54 +03:00
for i in xrange(0, len(kb.injections)):
place = kb.injections[i].place
parameter = kb.injections[i].parameter
ptype = kb.injections[i].ptype
point = (place, parameter, ptype)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Rewrite from scratch the detection engine. Now it performs checks defined in payload.xml. User can specify its own. All (hopefully) functionalities should still be working. Added two switches, --level and --risk to specify which injection tests and boundaries to use. The main advantage now is that sqlmap is able to identify initially which injection types are present so for instance if boolean-based blind is not supported, but error-based is, sqlmap will keep going and work!
2010-11-28 21:10:54 +03:00
if point not in points:
points.append(point)
Proper saving and resuming when more than a parameter are injectable. Minor bug fix to --stacked-test Minor code refactoring.
2010-11-29 04:04:42 +03:00
ptype = PAYLOAD.PARAMETER[ptype] if isinstance(ptype, int) else ptype
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Rewrite from scratch the detection engine. Now it performs checks defined in payload.xml. User can specify its own. All (hopefully) functionalities should still be working. Added two switches, --level and --risk to specify which injection tests and boundaries to use. The main advantage now is that sqlmap is able to identify initially which injection types are present so for instance if boolean-based blind is not supported, but error-based is, sqlmap will keep going and work!
2010-11-28 21:10:54 +03:00
message += "[%d] place: %s, parameter: " % (i, place)
Proper saving and resuming when more than a parameter are injectable. Minor bug fix to --stacked-test Minor code refactoring.
2010-11-29 04:04:42 +03:00
message += "%s, type: %s" % (parameter, ptype)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Rewrite from scratch the detection engine. Now it performs checks defined in payload.xml. User can specify its own. All (hopefully) functionalities should still be working. Added two switches, --level and --risk to specify which injection tests and boundaries to use. The main advantage now is that sqlmap is able to identify initially which injection types are present so for instance if boolean-based blind is not supported, but error-based is, sqlmap will keep going and work!
2010-11-28 21:10:54 +03:00
if i == 0:
message += " (default)"
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Rewrite from scratch the detection engine. Now it performs checks defined in payload.xml. User can specify its own. All (hopefully) functionalities should still be working. Added two switches, --level and --risk to specify which injection tests and boundaries to use. The main advantage now is that sqlmap is able to identify initially which injection types are present so for instance if boolean-based blind is not supported, but error-based is, sqlmap will keep going and work!
2010-11-28 21:10:54 +03:00
message += "\n"
message += "[q] Quit"
select = readInput(message, default="0")
if select.isdigit() and int(select) < len(kb.injections) and int(select) >= 0:
index = int(select)
elif select[0] in ( "Q", "q" ):
raise sqlmapUserQuitException
else:
errMsg = "invalid choice"
Minor fix
2010-11-29 02:33:51 +03:00
raise sqlmapValueException, errMsg
Rewrite from scratch the detection engine. Now it performs checks defined in payload.xml. User can specify its own. All (hopefully) functionalities should still be working. Added two switches, --level and --risk to specify which injection tests and boundaries to use. The main advantage now is that sqlmap is able to identify initially which injection types are present so for instance if boolean-based blind is not supported, but error-based is, sqlmap will keep going and work!
2010-11-28 21:10:54 +03:00
kb.injection = kb.injections[index]
def __formatInjection(inj):
Prioritize DBMS fingerprint based on DBMS (<dbms>) identified during the detection phase. Minor bug fix to properly handle the case that no injections are found. Nicer display of injection vulnerabilities detected. Minor code refactoring.
2010-11-29 00:27:47 +03:00
data = "Place: %s\n" % inj.place
data += "Parameter: %s\n" % inj.parameter
Rewrite from scratch the detection engine. Now it performs checks defined in payload.xml. User can specify its own. All (hopefully) functionalities should still be working. Added two switches, --level and --risk to specify which injection tests and boundaries to use. The main advantage now is that sqlmap is able to identify initially which injection types are present so for instance if boolean-based blind is not supported, but error-based is, sqlmap will keep going and work!
2010-11-28 21:10:54 +03:00
for stype, sdata in inj.data.items():
Minor layout adjustment
2010-12-03 19:11:35 +03:00
data += " Type: %s\n" % PAYLOAD.SQLINJECTION[stype]
Added tag <epayload> to the payloads.xml's <test> tag to define which payload to use when exploiting the test type. Removed some useless tests. Moved <error> from queries.xml to payloads.xml as it makes more sense. Beeps at sql inj found only if --beep is provided. Minor fix in order to be able to pickle advancedDict() objects. Minor code refactoring. Removed useless folders.
2010-12-01 20:09:52 +03:00
data += " Title: %s\n" % sdata.title
data += " Payload: %s\n\n" % sdata.payload
Rewrite from scratch the detection engine. Now it performs checks defined in payload.xml. User can specify its own. All (hopefully) functionalities should still be working. Added two switches, --level and --risk to specify which injection tests and boundaries to use. The main advantage now is that sqlmap is able to identify initially which injection types are present so for instance if boolean-based blind is not supported, but error-based is, sqlmap will keep going and work!
2010-11-28 21:10:54 +03:00
Prioritize DBMS fingerprint based on DBMS (<dbms>) identified during the detection phase. Minor bug fix to properly handle the case that no injections are found. Nicer display of injection vulnerabilities detected. Minor code refactoring.
2010-11-29 00:27:47 +03:00
return data
Rewrite from scratch the detection engine. Now it performs checks defined in payload.xml. User can specify its own. All (hopefully) functionalities should still be working. Added two switches, --level and --risk to specify which injection tests and boundaries to use. The main advantage now is that sqlmap is able to identify initially which injection types are present so for instance if boolean-based blind is not supported, but error-based is, sqlmap will keep going and work!
2010-11-28 21:10:54 +03:00
def __showInjections():
Added counter of total HTTP(s) requests done during detection phase
2010-12-07 15:33:47 +03:00
header = "sqlmap identified the following injection points "
code refactoring
2010-12-07 16:34:06 +03:00
header += "with %d HTTP(s) requests" % kb.testQueryCount
Prioritize DBMS fingerprint based on DBMS (<dbms>) identified during the detection phase. Minor bug fix to properly handle the case that no injections are found. Nicer display of injection vulnerabilities detected. Minor code refactoring.
2010-11-29 00:27:47 +03:00
data = ""
Rewrite from scratch the detection engine. Now it performs checks defined in payload.xml. User can specify its own. All (hopefully) functionalities should still be working. Added two switches, --level and --risk to specify which injection tests and boundaries to use. The main advantage now is that sqlmap is able to identify initially which injection types are present so for instance if boolean-based blind is not supported, but error-based is, sqlmap will keep going and work!
2010-11-28 21:10:54 +03:00
for inj in kb.injections:
Prioritize DBMS fingerprint based on DBMS (<dbms>) identified during the detection phase. Minor bug fix to properly handle the case that no injections are found. Nicer display of injection vulnerabilities detected. Minor code refactoring.
2010-11-29 00:27:47 +03:00
data += __formatInjection(inj)
cosmeticados
2010-11-30 17:48:13 +03:00
data = data.rstrip("\n")
fix for a bug reported by ragos@joker.ms (AttributeError: 'NoneType' object has no attribute 'write')
2011-01-01 15:23:02 +03:00
conf.dumper.technic(header, data)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Got rid of unreliable 'ORDER BY' technique to detect UNION query SQL injection, consequently switch --union-tech has gone now. Minor code refactoring too.
2010-11-29 20:18:38 +03:00
def __saveToSessionFile():
for inj in kb.injections:
Now, if the back-end dbms type has been identified by the detection engine, skips the fingerprint phase. Major code refactoring and commenting to detection engine. Ask user whether or not to proceed to test remaining parameters after an injection point has been identified. Restore beep at SQL injection find. Avoid reuse of same variable in DBMS handler code. Minor adjustment of payloads XML file.
2010-12-01 01:40:25 +03:00
if inj.place is None or inj.parameter is None:
continue
Got rid of unreliable 'ORDER BY' technique to detect UNION query SQL injection, consequently switch --union-tech has gone now. Minor code refactoring too.
2010-11-29 20:18:38 +03:00
setInjection(inj)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
def start():
"""
This function calls a function that performs checks on both URL
stability and all GET, POST, Cookie and User-Agent parameters to
check if they are dynamic and SQL injection affected
"""
Fixes #177 - Don't exit at exception if in "multiple targets" mode (-l or -g)
2010-03-16 15:14:02 +03:00
if not conf.start:
update
2010-09-26 18:56:55 +04:00
return False
Fixes #177 - Don't exit at exception if in "multiple targets" mode (-l or -g)
2010-03-16 15:14:02 +03:00
Major enhancement to directly connect to the dbms without passing via a sql injection: adapted code accordingly - see #158. This feature relies on python third-party libraries to be able to connect to the database. For the moment it has been implemented for MySQL (with python-mysqldb module) and PostgreSQL (with python-psycopg2 module). Minor layout adjustments.
2010-03-27 02:23:25 +03:00
if conf.direct:
initTargetEnv()
setupTargetEnv()
action()
update
2010-09-26 18:56:55 +04:00
return True
Major enhancement to directly connect to the dbms without passing via a sql injection: adapted code accordingly - see #158. This feature relies on python third-party libraries to be able to connect to the database. For the moment it has been implemented for MySQL (with python-mysqldb module) and PostgreSQL (with python-psycopg2 module). Minor layout adjustments.
2010-03-27 02:23:25 +03:00
update (--forms acts now more like -g switch)
2010-11-15 14:34:57 +03:00
if conf.url and not conf.forms:
kb.targetUrls.add(( conf.url, conf.method, conf.data, conf.cookie ))
After the storm, a restore..
2008-10-15 19:38:22 +04:00
if conf.configFile and not kb.targetUrls:
errMsg = "you did not edit the configuration file properly, set "
Adapted the code to support a list of targets from a text file (Burp log file) or from a directory (WebScarab conversations folder) with command line option -l.
2008-11-20 20:56:09 +03:00
errMsg += "the target url, list of targets or google dork"
After the storm, a restore..
2008-10-15 19:38:22 +04:00
logger.error(errMsg)
update
2010-09-26 18:56:55 +04:00
return False
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Completed support to get the list of targets from WebScarab/Burp proxies log file and updated the documentation
2008-11-28 01:33:33 +03:00
if kb.targetUrls and len(kb.targetUrls) > 1:
infoMsg = "sqlmap got a total of %d targets" % len(kb.targetUrls)
logger.info(infoMsg)
Major enhancement to directly connect to the dbms without passing via a sql injection: adapted code accordingly - see #158. This feature relies on python third-party libraries to be able to connect to the database. For the moment it has been implemented for MySQL (with python-mysqldb module) and PostgreSQL (with python-psycopg2 module). Minor layout adjustments.
2010-03-27 02:23:25 +03:00
hostCount = 0
cookieStr = ""
setCookieAsInjectable = True
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Completed support to get the list of targets from WebScarab/Burp proxies log file and updated the documentation
2008-11-28 01:33:33 +03:00
for targetUrl, targetMethod, targetData, targetCookie in kb.targetUrls:
Fixes #177 - Don't exit at exception if in "multiple targets" mode (-l or -g)
2010-03-16 15:14:02 +03:00
try:
conf.url = targetUrl
conf.method = targetMethod
conf.data = targetData
conf.cookie = targetCookie
injData = []
fix for skipping non-GET urls
2010-10-15 13:54:29 +04:00
fix for that duplicates
2010-10-15 04:34:16 +04:00
initTargetEnv()
parseTargetUrl()
fix for skipping non-GET urls
2010-10-15 13:54:29 +04:00
fix for that duplicates
2010-10-15 04:34:16 +04:00
testSqlInj = False
further enum refactoring
2010-11-08 12:44:32 +03:00
if PLACE.GET in conf.parameters:
for parameter in re.findall(r"([^=]+)=[^&]+&?", conf.parameters[PLACE.GET]):
paramKey = (conf.hostname, conf.path, PLACE.GET, parameter)
fix for that duplicates
2010-10-15 04:34:16 +04:00
if paramKey not in kb.testedParams:
testSqlInj = True
break
fix for skipping non-GET urls
2010-10-15 13:54:29 +04:00
else:
paramKey = (conf.hostname, conf.path, None, None)
if paramKey not in kb.testedParams:
testSqlInj = True
bug fix of re-introduced bug (in multiple target mode sites with similar URI weren't skipped)
2010-12-23 14:28:13 +03:00
testSqlInj &= (conf.hostname, conf.path, None, None) not in kb.testedParams
fix for that duplicates
2010-10-15 04:34:16 +04:00
if not testSqlInj:
infoMsg = "skipping '%s'" % targetUrl
logger.info(infoMsg)
continue
Fixes #177 - Don't exit at exception if in "multiple targets" mode (-l or -g)
2010-03-16 15:14:02 +03:00
if conf.multipleTargets:
hostCount += 1
cosmetics regarding --forms
2010-11-15 14:50:33 +03:00
if conf.forms:
Minor bug fix for --forms
2010-11-29 15:46:18 +03:00
message = "[#%d] form:\n%s %s" % (hostCount, conf.method or HTTPMETHOD.GET, targetUrl)
cosmetics regarding --forms
2010-11-15 14:50:33 +03:00
else:
message = "%s %d:\n%s %s" % ("url", hostCount, conf.method or HTTPMETHOD.GET, targetUrl)
Completed support to get the list of targets from WebScarab/Burp proxies log file and updated the documentation
2008-11-28 01:33:33 +03:00
Fixes #177 - Don't exit at exception if in "multiple targets" mode (-l or -g)
2010-03-16 15:14:02 +03:00
if conf.cookie:
message += "\nCookie: %s" % conf.cookie
Completed support to get the list of targets from WebScarab/Burp proxies log file and updated the documentation
2008-11-28 01:33:33 +03:00
Fixes #177 - Don't exit at exception if in "multiple targets" mode (-l or -g)
2010-03-16 15:14:02 +03:00
if conf.data:
update (--forms acts now more like -g switch)
2010-11-15 14:34:57 +03:00
message += "\nPOST data: %s" % repr(conf.data) if conf.data else ""
if conf.forms:
if conf.method == HTTPMETHOD.GET and targetUrl.find("?") == -1:
continue
message += "\ndo you want to test this form? [Y/n/q] "
test = readInput(message, default="Y")
if not test or test[0] in ("y", "Y"):
if conf.method == HTTPMETHOD.POST:
message = "Edit POST data [default: %s]: " % (conf.data if conf.data else "")
conf.data = readInput(message, default=conf.data)
elif conf.method == HTTPMETHOD.GET:
if conf.url.find("?") > -1:
firstPart = conf.url[:conf.url.find("?")]
secondPart = conf.url[conf.url.find("?")+1:]
message = "Edit GET data [default: %s]: " % secondPart
test = readInput(message, default=secondPart)
conf.url = "%s?%s" % (firstPart, test)
elif test[0] in ("n", "N"):
continue
elif test[0] in ("q", "Q"):
break
After the storm, a restore..
2008-10-15 19:38:22 +04:00
update
2010-12-23 17:06:22 +03:00
elif conf.realTest:
more minor updates
2010-12-20 13:48:53 +03:00
logger.info(message)
else:
update (--forms acts now more like -g switch)
2010-11-15 14:34:57 +03:00
message += "\ndo you want to test this url? [Y/n/q]"
test = readInput(message, default="Y")
Completed support to get the list of targets from WebScarab/Burp proxies log file and updated the documentation
2008-11-28 01:33:33 +03:00
update (--forms acts now more like -g switch)
2010-11-15 14:34:57 +03:00
if not test or test[0] in ("y", "Y"):
pass
elif test[0] in ("n", "N"):
continue
elif test[0] in ("q", "Q"):
break
After the storm, a restore..
2008-10-15 19:38:22 +04:00
update (--forms acts now more like -g switch)
2010-11-15 14:34:57 +03:00
logMsg = "testing url %s" % targetUrl
logger.info(logMsg)
Fixes #172 - also cookies are parsed from burp/webscarab logs (-l) and request file (-r) now
2010-03-16 18:21:42 +03:00
Fixes #177 - Don't exit at exception if in "multiple targets" mode (-l or -g)
2010-03-16 15:14:02 +03:00
setupTargetEnv()
added response time kb attribute
2010-12-03 16:19:34 +03:00
if not checkConnection(suppressOutput=conf.forms) or not checkString() or not checkRegexp():
After the storm, a restore..
2008-10-15 19:38:22 +04:00
continue
Split character for tamper scripts (--tamper option) is now comma, not semi-colon. Minor enhancement
2010-10-17 01:52:16 +04:00
if conf.nullConnection:
added --null-connection as an experimental option
2010-09-16 14:01:33 +04:00
checkNullConnection()
added null connection check
2010-09-16 12:43:10 +04:00
changes regarding Feature #160
2010-09-26 18:02:13 +04:00
if not conf.dropSetCookie and conf.cj:
Fixes #177 - Don't exit at exception if in "multiple targets" mode (-l or -g)
2010-03-16 15:14:02 +03:00
for _, cookie in enumerate(conf.cj):
more unicode refactoring
2010-06-02 16:45:40 +04:00
cookie = getUnicode(cookie)
Fixes #177 - Don't exit at exception if in "multiple targets" mode (-l or -g)
2010-03-16 15:14:02 +03:00
index = cookie.index(" for ")
Fixes #172 - also cookies are parsed from burp/webscarab logs (-l) and request file (-r) now
2010-03-16 18:21:42 +03:00
Fixes #177 - Don't exit at exception if in "multiple targets" mode (-l or -g)
2010-03-16 15:14:02 +03:00
cookieStr += "%s;" % cookie[8:index]
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Fixes #177 - Don't exit at exception if in "multiple targets" mode (-l or -g)
2010-03-16 15:14:02 +03:00
if cookieStr:
cookieStr = cookieStr[:-1]
Fixes #172 - also cookies are parsed from burp/webscarab logs (-l) and request file (-r) now
2010-03-16 18:21:42 +03:00
further enum refactoring
2010-11-08 12:44:32 +03:00
if PLACE.COOKIE in conf.parameters:
Fixes #177 - Don't exit at exception if in "multiple targets" mode (-l or -g)
2010-03-16 15:14:02 +03:00
message = "you provided an HTTP Cookie header value. "
message += "The target url provided its own Cookie within "
message += "the HTTP Set-Cookie header. Do you want to "
message += "continue using the HTTP Cookie values that "
message += "you provided? [Y/n] "
test = readInput(message, default="Y")
Fixes #172 - also cookies are parsed from burp/webscarab logs (-l) and request file (-r) now
2010-03-16 18:21:42 +03:00
Fixes #177 - Don't exit at exception if in "multiple targets" mode (-l or -g)
2010-03-16 15:14:02 +03:00
if not test or test[0] in ("y", "Y"):
setCookieAsInjectable = False
Fixes #172 - also cookies are parsed from burp/webscarab logs (-l) and request file (-r) now
2010-03-16 18:21:42 +03:00
Fixes #177 - Don't exit at exception if in "multiple targets" mode (-l or -g)
2010-03-16 15:14:02 +03:00
if setCookieAsInjectable:
revert of some HTTP headers handling
2010-11-08 16:26:45 +03:00
conf.httpHeaders.append(("Cookie", cookieStr))
further enum refactoring
2010-11-08 12:44:32 +03:00
conf.parameters[PLACE.COOKIE] = cookieStr
__paramDict = paramToDict(PLACE.COOKIE, cookieStr)
Fixes #172 - also cookies are parsed from burp/webscarab logs (-l) and request file (-r) now
2010-03-16 18:21:42 +03:00
Fixes #177 - Don't exit at exception if in "multiple targets" mode (-l or -g)
2010-03-16 15:14:02 +03:00
if __paramDict:
further enum refactoring
2010-11-08 12:44:32 +03:00
conf.paramDict[PLACE.COOKIE] = __paramDict
Code cleanup
2010-03-21 03:39:44 +03:00
# TODO: consider the following line in __setRequestParams()
Fixes #177 - Don't exit at exception if in "multiple targets" mode (-l or -g)
2010-03-16 15:14:02 +03:00
__testableParameters = True
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Added tag <epayload> to the payloads.xml's <test> tag to define which payload to use when exploiting the test type. Removed some useless tests. Moved <error> from queries.xml to payloads.xml as it makes more sense. Beeps at sql inj found only if --beep is provided. Minor fix in order to be able to pickle advancedDict() objects. Minor code refactoring. Removed useless folders.
2010-12-01 20:09:52 +03:00
if (len(kb.injections) == 0 or (len(kb.injections) == 1 and kb.injections[0].place is None)) \
and (kb.injection.place is None or kb.injection.parameter is None):
Fixes #177 - Don't exit at exception if in "multiple targets" mode (-l or -g)
2010-03-16 15:14:02 +03:00
if not conf.string and not conf.regexp and not conf.eRegexp:
# NOTE: this is not needed anymore, leaving only to display
# a warning message to the user in case the page is not stable
checkStability()
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
minor optimization
2010-11-08 02:37:15 +03:00
# Do a little prioritization reorder of a testable parameter list
parameters = conf.parameters.keys()
More replacements for refactoring. Minor layout adjustments. Alignment of conffile/optiondict/cmdline parameters.
2010-11-08 15:36:48 +03:00
further enum refactoring
2010-11-08 12:44:32 +03:00
for place in (PLACE.URI, PLACE.POST, PLACE.GET):
minor optimization
2010-11-08 02:37:15 +03:00
if place in parameters:
parameters.remove(place)
parameters.insert(0, place)
Now, if the back-end dbms type has been identified by the detection engine, skips the fingerprint phase. Major code refactoring and commenting to detection engine. Ask user whether or not to proceed to test remaining parameters after an injection point has been identified. Restore beep at SQL injection find. Avoid reuse of same variable in DBMS handler code. Minor adjustment of payloads XML file.
2010-12-01 01:40:25 +03:00
proceed = True
minor optimization
2010-11-08 02:37:15 +03:00
for place in parameters:
Apply --level also to User-Agent (level >= 4) and Cookie (level >= 3). GET and POST parameters are always tested.
2010-11-29 19:33:20 +03:00
# Test User-Agent header only if --level >= 4
condition = (place == "User-Agent" and conf.level < 4)
# Test Cookie header only if --level >= 3
condition |= (place == "Cookie" and conf.level < 3)
if condition:
continue
Fixes #177 - Don't exit at exception if in "multiple targets" mode (-l or -g)
2010-03-16 15:14:02 +03:00
if not conf.paramDict.has_key(place):
continue
Updated to sqlmap 0.7 release candidate 1
2009-04-22 15:48:07 +04:00
Fixes #177 - Don't exit at exception if in "multiple targets" mode (-l or -g)
2010-03-16 15:14:02 +03:00
paramDict = conf.paramDict[place]
for parameter, value in paramDict.items():
bug fix for Ctrl+C
2010-12-31 18:00:19 +03:00
if not proceed:
break
Fixes #177 - Don't exit at exception if in "multiple targets" mode (-l or -g)
2010-03-16 15:14:02 +03:00
testSqlInj = True
Rewrite from scratch the detection engine. Now it performs checks defined in payload.xml. User can specify its own. All (hopefully) functionalities should still be working. Added two switches, --level and --risk to specify which injection tests and boundaries to use. The main advantage now is that sqlmap is able to identify initially which injection types are present so for instance if boolean-based blind is not supported, but error-based is, sqlmap will keep going and work!
2010-11-28 21:10:54 +03:00
fix for that duplicates
2010-10-15 04:34:16 +04:00
paramKey = (conf.hostname, conf.path, place, parameter)
Fixes #177 - Don't exit at exception if in "multiple targets" mode (-l or -g)
2010-03-16 15:14:02 +03:00
fix for Feature #187 (Skip duplicates parameters in -g)
2010-07-30 00:01:04 +04:00
if paramKey in kb.testedParams:
testSqlInj = False
fix for that duplicates
2010-10-15 04:34:16 +04:00
infoMsg = "skipping previously processed %s parameter '%s'" % (place, parameter)
logger.info(infoMsg)
Fixes #177 - Don't exit at exception if in "multiple targets" mode (-l or -g)
2010-03-16 15:14:02 +03:00
# Avoid dinamicity test if the user provided the
# parameter manually
fix for Feature #187 (Skip duplicates parameters in -g)
2010-07-30 00:01:04 +04:00
elif parameter in conf.testParameter:
Fixes #177 - Don't exit at exception if in "multiple targets" mode (-l or -g)
2010-03-16 15:14:02 +03:00
pass
fix for that duplicates
2010-10-15 04:34:16 +04:00
Fixes #177 - Don't exit at exception if in "multiple targets" mode (-l or -g)
2010-03-16 15:14:02 +03:00
elif not checkDynParam(place, parameter, value):
warnMsg = "%s parameter '%s' is not dynamic" % (place, parameter)
logger.warn(warnMsg)
fix for that duplicates
2010-10-15 04:34:16 +04:00
Fixes #177 - Don't exit at exception if in "multiple targets" mode (-l or -g)
2010-03-16 15:14:02 +03:00
else:
logMsg = "%s parameter '%s' is dynamic" % (place, parameter)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
logger.info(logMsg)
fix for Feature #187 (Skip duplicates parameters in -g)
2010-07-30 00:01:04 +04:00
kb.testedParams.add(paramKey)
Fixes #177 - Don't exit at exception if in "multiple targets" mode (-l or -g)
2010-03-16 15:14:02 +03:00
if testSqlInj:
kids, don't use this at home
2010-12-20 13:13:14 +03:00
check = heuristicCheckSqlInjection(place, parameter, value)
update
2010-12-23 17:06:22 +03:00
if not check and conf.realTest:
kids, don't use this at home
2010-12-20 13:13:14 +03:00
continue
fix for that duplicates
2010-10-15 04:34:16 +04:00
Rewrite from scratch the detection engine. Now it performs checks defined in payload.xml. User can specify its own. All (hopefully) functionalities should still be working. Added two switches, --level and --risk to specify which injection tests and boundaries to use. The main advantage now is that sqlmap is able to identify initially which injection types are present so for instance if boolean-based blind is not supported, but error-based is, sqlmap will keep going and work!
2010-11-28 21:10:54 +03:00
logMsg = "testing sql injection on %s " % place
logMsg += "parameter '%s'" % parameter
logger.info(logMsg)
fix for that duplicates
2010-10-15 04:34:16 +04:00
Rewrite from scratch the detection engine. Now it performs checks defined in payload.xml. User can specify its own. All (hopefully) functionalities should still be working. Added two switches, --level and --risk to specify which injection tests and boundaries to use. The main advantage now is that sqlmap is able to identify initially which injection types are present so for instance if boolean-based blind is not supported, but error-based is, sqlmap will keep going and work!
2010-11-28 21:10:54 +03:00
injection = checkSqlInjection(place, parameter, value)
minor fix for end phase (Ctrl+C)
2010-12-22 02:55:55 +03:00
proceed = not kb.endDetection
Now, if the back-end dbms type has been identified by the detection engine, skips the fingerprint phase. Major code refactoring and commenting to detection engine. Ask user whether or not to proceed to test remaining parameters after an injection point has been identified. Restore beep at SQL injection find. Avoid reuse of same variable in DBMS handler code. Minor adjustment of payloads XML file.
2010-12-01 01:40:25 +03:00
if injection is not None and injection.place is not None:
Rewrite from scratch the detection engine. Now it performs checks defined in payload.xml. User can specify its own. All (hopefully) functionalities should still be working. Added two switches, --level and --risk to specify which injection tests and boundaries to use. The main advantage now is that sqlmap is able to identify initially which injection types are present so for instance if boolean-based blind is not supported, but error-based is, sqlmap will keep going and work!
2010-11-28 21:10:54 +03:00
kb.injections.append(injection)
Now, if the back-end dbms type has been identified by the detection engine, skips the fingerprint phase. Major code refactoring and commenting to detection engine. Ask user whether or not to proceed to test remaining parameters after an injection point has been identified. Restore beep at SQL injection find. Avoid reuse of same variable in DBMS handler code. Minor adjustment of payloads XML file.
2010-12-01 01:40:25 +03:00
Minor fix for ctrl+c during detection phase
2010-12-22 16:15:44 +03:00
# In case when user wants to end detection phase (Ctrl+C)
if not proceed:
break
Now, if the back-end dbms type has been identified by the detection engine, skips the fingerprint phase. Major code refactoring and commenting to detection engine. Ask user whether or not to proceed to test remaining parameters after an injection point has been identified. Restore beep at SQL injection find. Avoid reuse of same variable in DBMS handler code. Minor adjustment of payloads XML file.
2010-12-01 01:40:25 +03:00
msg = "%s parameter '%s' " % (injection.place, injection.parameter)
msg += "is vulnerable. Do you want to keep testing the others? [y/N] "
test = readInput(msg, default="N")
if test[0] in ("n", "N"):
proceed = False
bug fix of re-introduced bug (in multiple target mode sites with similar URI weren't skipped)
2010-12-23 14:28:13 +03:00
paramKey = (conf.hostname, conf.path, None, None)
kb.testedParams.add(paramKey)
Rewrite from scratch the detection engine. Now it performs checks defined in payload.xml. User can specify its own. All (hopefully) functionalities should still be working. Added two switches, --level and --risk to specify which injection tests and boundaries to use. The main advantage now is that sqlmap is able to identify initially which injection types are present so for instance if boolean-based blind is not supported, but error-based is, sqlmap will keep going and work!
2010-11-28 21:10:54 +03:00
else:
Fixes #177 - Don't exit at exception if in "multiple targets" mode (-l or -g)
2010-03-16 15:14:02 +03:00
warnMsg = "%s parameter '%s' is not " % (place, parameter)
warnMsg += "injectable"
logger.warn(warnMsg)
Updated work on multiple targets support (works for WebScarab conversations/ folder, still to work out for Burp log file). Major bug fix in the controller library.
2008-11-22 04:57:22 +03:00
Now, if the back-end dbms type has been identified by the detection engine, skips the fingerprint phase. Major code refactoring and commenting to detection engine. Ask user whether or not to proceed to test remaining parameters after an injection point has been identified. Restore beep at SQL injection find. Avoid reuse of same variable in DBMS handler code. Minor adjustment of payloads XML file.
2010-12-01 01:40:25 +03:00
if len(kb.injections) == 0 or (len(kb.injections) == 1 and kb.injections[0].place is None):
update
2010-12-23 17:06:22 +03:00
if not conf.realTest:
minor adjustments
2010-12-21 03:25:03 +03:00
errMsg = "all parameters are not injectable, try "
update of mysql comment versions
2010-12-31 15:42:12 +03:00
errMsg += "a higher --level/--risk and/or --text-only switch"
minor adjustments
2010-12-21 03:25:03 +03:00
raise sqlmapNotVulnerableException, errMsg
else:
errMsg = "it seems that all parameters are not injectable"
raise sqlmapNotVulnerableException, errMsg
Rewrite from scratch the detection engine. Now it performs checks defined in payload.xml. User can specify its own. All (hopefully) functionalities should still be working. Added two switches, --level and --risk to specify which injection tests and boundaries to use. The main advantage now is that sqlmap is able to identify initially which injection types are present so for instance if boolean-based blind is not supported, but error-based is, sqlmap will keep going and work!
2010-11-28 21:10:54 +03:00
else:
__saveToSessionFile()
__showInjections()
__selectInjection()
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Added tag <epayload> to the payloads.xml's <test> tag to define which payload to use when exploiting the test type. Removed some useless tests. Moved <error> from queries.xml to payloads.xml as it makes more sense. Beeps at sql inj found only if --beep is provided. Minor fix in order to be able to pickle advancedDict() objects. Minor code refactoring. Removed useless folders.
2010-12-01 20:09:52 +03:00
if kb.injection.place is not None and kb.injection.parameter is not None:
minor update
2011-01-02 00:11:29 +03:00
if kb.testQueryCount == 0 and conf.realTest:
condition = False
elif conf.multipleTargets:
Fixes #177 - Don't exit at exception if in "multiple targets" mode (-l or -g)
2010-03-16 15:14:02 +03:00
message = "do you want to exploit this SQL injection? [Y/n] "
exploit = readInput(message, default="Y")
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Fixes #177 - Don't exit at exception if in "multiple targets" mode (-l or -g)
2010-03-16 15:14:02 +03:00
condition = not exploit or exploit[0] in ("y", "Y")
else:
condition = True
if condition:
action()
added some fancy Ctrl+C when having multiple targets
2010-11-05 18:59:25 +03:00
except KeyboardInterrupt:
minor fix
2010-11-05 19:03:12 +03:00
if conf.multipleTargets:
cosmetics
2010-11-05 19:08:42 +03:00
warnMsg = "Ctrl+C detected in multiple target mode"
minor fix
2010-11-05 19:03:12 +03:00
logger.warn(warnMsg)
added some fancy Ctrl+C when having multiple targets
2010-11-05 18:59:25 +03:00
Cosmetics
2010-11-07 19:23:03 +03:00
message = "do you want to skip to the next target in list? [Y/n/q]"
minor fix
2010-11-05 19:03:12 +03:00
test = readInput(message, default="Y")
added some fancy Ctrl+C when having multiple targets
2010-11-05 18:59:25 +03:00
minor fix
2010-11-05 19:03:12 +03:00
if not test or test[0] in ("y", "Y"):
pass
elif test[0] in ("n", "N"):
return False
elif test[0] in ("q", "Q"):
raise sqlmapUserQuitException
else:
raise
added some fancy Ctrl+C when having multiple targets
2010-11-05 18:59:25 +03:00
some update
2010-09-30 23:45:23 +04:00
except sqlmapUserQuitException:
raise
bug fix (reported by ToR)
2010-11-10 22:44:51 +03:00
except sqlmapSilentQuitException:
raise
Fixes #177 - Don't exit at exception if in "multiple targets" mode (-l or -g)
2010-03-16 15:14:02 +03:00
except exceptionsTuple, e:
more unicode refactoring
2010-06-02 16:45:40 +04:00
e = getUnicode(e)
After the storm, a restore..
2008-10-15 19:38:22 +04:00
Fixes #177 - Don't exit at exception if in "multiple targets" mode (-l or -g)
2010-03-16 15:14:02 +03:00
if conf.multipleTargets:
minor update
2010-11-15 15:19:22 +03:00
e += ", skipping to the next %s" % ("form" if conf.forms else "url")
Fixes #177 - Don't exit at exception if in "multiple targets" mode (-l or -g)
2010-03-16 15:14:02 +03:00
logger.error(e)
else:
minor update
2010-09-27 17:41:18 +04:00
logger.critical(e)
update
2010-09-26 18:56:55 +04:00
return False
After the storm, a restore..
2008-10-15 19:38:22 +04:00
if conf.loggedToOut:
logger.info("Fetched data logged to text files under '%s'" % conf.outputPath)
removed all trailing spaces from blank lines
2010-11-03 13:08:27 +03:00
update
2010-09-26 18:56:55 +04:00
return True
Reference in New Issue Copy Permalink